Not OK, Cupid


Bron Gondwana, CEO

I don’t usually like to call out the bad behaviour of specific companies, but the egregious mis-design and lack of acknowledging it justify this case.

Welcome to OkCupid

A couple of weeks ago, I started seeing many “Welcome to OkCupid” emails, both on my personal address and a couple of related addresses, but also to multiple Fastmail official contact addresses — legal, partnerships, press, etc. Specifically, this list included trash@brong.net — an address that has never been used to send or receive email and appears in precisely one place — an article on our blog! It seems quite clear that somebody scraped our website and used the addresses to sign up. I’m aware of at least 10 addresses, but there are likely others that either go to someone else or addresses that no longer exist.

It didn’t stop there, though. I’ve been getting tons of “someone likes you”, “you have an intro,” and even an “IMPORTANT: We removed your photo on OkCupid.” email saying that inappropriate content was posted to “our” account!

The real-world consequences of poor email validation

This isn’t just an inconvenience — it has real security implications. Websites that fail to properly validate email ownership can be exploited for malicious purposes. Attackers can use unverified sign-ups to flood inboxes, making it easier to hide critical emails among the noise — something we’ve described from our own experience in our post on 2FA vulnerabilities. There are established best practices (PDF) for handling email sign-ups responsibly, practices that OkCupid is failing to follow.
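As an added illustration of what “properly validating email ownership” means in practice (this is example code, not OkCupid’s or Fastmail’s), here is a minimal confirm-before-activate sign-up flow: an unverified address gets at most one confirmation message per cooldown period, nothing else is sent to it until the token is confirmed, and stale tokens expire. The class, the constants and the policy values are all assumptions.

```python
import secrets, time, hmac

TOKEN_TTL = 24 * 3600        # confirmation links expire after a day (assumed policy)
RESEND_COOLDOWN = 3600       # at most one confirmation mail per address per hour (assumed)

class SignupService:
    """Double opt-in: no account, and no other mail, until the address confirms."""

    def __init__(self, now=time.time):
        self.now = now               # injectable clock so expiry can be tested
        self.pending = {}            # email -> (token, issued_at)
        self.verified = set()
        self.outbox = []             # (recipient, subject); stand-in for a real MTA

    def request_signup(self, email):
        email = email.strip().lower()
        if email in self.verified:
            # Send nothing: the address is not ours to re-spam. The UI should show
            # the same generic "check your inbox" text for every outcome.
            return "already-verified"
        prev = self.pending.get(email)
        if prev and self.now() - prev[1] < RESEND_COOLDOWN:
            return "rate-limited"    # repeated sign-ups cannot flood the inbox
        token = secrets.token_urlsafe(32)
        self.pending[email] = (token, self.now())
        self.outbox.append((email, "Confirm your account"))
        return "confirmation-sent"

    def confirm(self, email, token):
        email = email.strip().lower()
        rec = self.pending.get(email)
        if rec is None:
            return False
        stored, issued_at = rec
        if self.now() - issued_at > TOKEN_TTL:
            del self.pending[email]  # stale link: drop it rather than activate
            return False
        if not hmac.compare_digest(stored, token):
            return False             # constant-time compare against guessing
        del self.pending[email]
        self.verified.add(email)
        return True

    def notify(self, email, subject):
        """'Someone likes you' style mail goes only to verified addresses."""
        email = email.strip().lower()
        if email not in self.verified:
            return False
        self.outbox.append((email, subject))
        return True
```

With this in place, a scraped address receives one confirmation message and then silence, rather than a stream of account notifications it never asked for.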

No way out

When I tried to unsubscribe using the one-click unsubscribe button in one of the emails, I was met with an error: “Something went wrong, please try again later.”

Curious, I tried to recover a password on one of these accounts (the one with my personal email address) and successfully changed the password. Then, I was asked to confirm my login with a message sent to the number associated with the account. A number I didn’t know. A number that wasn’t mentioned on that page, so I still don’t know anything about it — not even which country it was from.

This raises further security concerns; the attacker could also have caused random recovery codes to be texted to another poor victim’s phone. Alternatively, they could confirm that my email address is actively monitored, increasing its value for further attacks. Either way, what I couldn’t do was actually close the account.

Whack-a-mole

So, I contacted OkCupid’s support. Here’s what they said:

I’ve removed the user from the site and banned the email address to prevent any new accounts from being created. That should resolve the issue, but if you encounter anything like this again in the future, please don’t hesitate to reach out, and we’ll address it right away.

So, I need to contact support manually for each new email address. This is neither scalable nor acceptable; people don’t have this amount of time.

Furthermore, my email address is now on another random blocklist somewhere on the internet, where I have no control and no way to unblock it. I don’t anticipate wanting to use OkCupid’s service, but if I did in the future, I would have to go through another dance to get the address unlocked again — or more likely, treat that particular email address as soiled and create another one.

Not OK

So I say, not OK, OkCupid. Not OK.

The usefulness of email depends on responsible behaviour from all service providers. Companies that engage in shady or outright inappropriate practices make the internet worse for everyone.

OkCupid’s failure to implement even the simplest form of email validation is unacceptable. Until they address these issues properly (not through the support response provided here), they remain part of the problem, not the solution.

Could we have avoided this?

In this case, we published those addresses online. There’s always a risk of receiving spam when you do that; one could even reasonably say “we were asking for it”. We expected spam. If you want to reduce your risk of being spammed, it helps not to publish your email address on the public web!

What we didn’t expect was a relatively reputable service being used to facilitate spamming us.

One great protection is using a different address for each organisation you deal with — that way, if your address leaks (or they sell it), you know where the breach happened, and you can more easily block just the problem messages.

Fastmail’s masked email feature is a great way to implement this strategy. Masked emails, particularly when integrated with a password manager, are designed to make it very easy to create new addresses and to track where each one is expected to be used.

Being a good internet citizen is one of Fastmail’s core values. We require verification for sending identities, ensuring that only legitimate users can send from an address they claim they own. This is the level of responsibility every email provider should uphold, and we applaud the others who also do.
